@umijs/preset-umi
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Provenance adoption is sparse; not a disqualifier for established packages. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): zoomdong07 added to a large, active monorepo team; no other compromise signals present. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps are within the @umijs ecosystem and @stagewise/toolbar; consistent with normal UmiJS feature additions. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Large UmiJS monorepo with 526 versions; publisher has established track record with 286 approved packages. | ai | |
| dependencies | unvetted-dep:@umijs/utils | AI (dependencies): Sibling monorepo package; expected unvetted dep for this package family. | ai | |
| dependencies | unvetted-dep:@umijs/bundler-utils | AI (dependencies): Sibling monorepo package; expected unvetted dep for this package family. | ai | |
| dependencies | unvetted-dep:@umijs/bundler-esbuild | AI (dependencies): Sibling monorepo package; expected unvetted dep for this package family. | ai | |
| dependencies | unvetted-dep:@umijs/babel-preset-umi | AI (dependencies): Sibling monorepo package; expected unvetted dep for this package family. | ai | |
| dependencies | unvetted-dep:@umijs/bundler-utoopack | AI (dependencies): Sibling monorepo package; expected unvetted dep for this package family. | ai | |
| dependencies | unvetted-dep:@umijs/ui | AI (dependencies): Sibling monorepo package; expected unvetted dep for this package family. | ai | |
| dependencies | unvetted-dep:@umijs/history | AI (dependencies): Sibling monorepo package; expected unvetted dep for this package family. | ai | |
| dependencies | unvetted-dep:@umijs/did-you-know | AI (dependencies): Sibling monorepo package; expected unvetted dep for this package family. | ai | |
| dependencies | unvetted-dep:@umijs/es-module-parser | AI (dependencies): Sibling monorepo package; expected unvetted dep for this package family. | ai | |
| dependencies | unvetted-dep:less-plugin-resolve | AI (dependencies): Known build utility; no malware indicators. | ai | |
| dependencies | unvetted-dep:current-script-polyfill | AI (dependencies): Small polyfill; no malware indicators. | ai | |
| dependencies | unvetted-dep:click-to-react-component | AI (dependencies): Known dev-experience utility; no malware indicators. | ai | |
| phantom-deps | phantom-dep:babel-plugin-react-compiler | AI (phantom-deps): Listed as direct dep in package.json; phantom-dep heuristic false positive. | ai | |
| dependencies | unvetted-dep:@umijs/bundler-mako | AI (dependencies): Sibling monorepo package; expected unvetted dep for this package family. | ai | |
| dependencies | unvetted-dep:@stagewise/toolbar | AI (dependencies): Dev toolbar utility; no malware indicators. | ai | |
| dependencies | unvetted-dep:@umijs/core | AI (dependencies): Sibling monorepo package; expected unvetted dep for this package family. | ai | |
| dependencies | unvetted-dep:@umijs/mfsu | AI (dependencies): Sibling monorepo package; expected unvetted dep for this package family. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Fires in compiled/os-locale — a bundled devDep for locale detection; not a runtime attack surface. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Monorepo sub-package; sparse README/description is expected for internal preset packages. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Fires in compiled vendor bundles (isnumber/queue-microtask); not malicious, standard minified library code. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Fires in compiled/body-parser — standard HTTP middleware; env read is benign config pattern. | ai | |
Versions (showing 23 of 23)
| Version | Deps | Published |
|---|---|---|
| 4.6.57 | 39 / 12 | |
| 4.6.55 | 39 / 12 | |
| 4.6.49 | 39 / 12 | |
| 4.6.48 | 39 / 12 | |
| 4.6.46 | 39 / 12 | |
| 4.6.44 | 39 / 12 | |
| 4.6.42 | 39 / 12 | |
| 4.6.27 | 39 / 12 | |
| 4.6.25 | 39 / 12 | |
| 4.6.24 | 39 / 12 | |
| 4.6.19 | 39 / 12 | |
| 4.6.17 | 39 / 12 | |
| 4.6.16 | 39 / 12 | |
| 4.6.15 | 39 / 12 | |
| 4.6.14 | 39 / 12 | |
| 4.6.13 | 39 / 12 | |
| 4.6.5 | 39 / 12 | |
| 4.6.4 | 39 / 12 | |
| 4.6.3 | 39 / 12 | |
| 4.6.0 | 39 / 12 | |
| 4.5.0 | 39 / 12 | |
| 4.4.12 | 38 / 12 | |
| 4.4.11 | 37 / 12 | |
v4.6.57
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.55
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.49
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.48
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.46
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.44
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.42
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.27
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.25
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.24
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.19
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.17
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.16
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.15
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.14
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.13
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.5
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.5.0
2 findings: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published on 2025-09-18 by a different npm account (peachscript) than the most recent previously approved version (sorrycc), but peachscript is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v4.4.12
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.4.11
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
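The two checks the per-version findings above rely on (is a provenance attestation recorded for a version, and did the publishing account change to one the package's earlier maintainer lists never vouched for, as in the v4.5.0 note) can be reproduced from the registry's own metadata. The script below is an added example, not code from this page or from the UmiJS project. It assumes the public npm registry's packument layout as I know it (`versions[v].dist.attestations.provenance`, `versions[v]._npmUser`, `versions[v].maintainers`, and a top-level `time` map); the package, versions, accounts and dates in the embedded packument are constructed for illustration and do not describe @umijs/preset-umi.

```javascript
// Added example (not from the original page or the UmiJS project): review an
// npm packument for provenance presence and publisher changes per version.
// The packument below is CONSTRUCTED; only the field names follow the public
// registry's format, the package, accounts, versions and dates are made up.
const samplePackument = {
  name: "example-pkg",
  time: {
    "1.0.0": "2025-01-10T00:00:00.000Z",
    "1.1.0": "2025-06-02T00:00:00.000Z",
    "1.2.0": "2025-09-18T00:00:00.000Z",
    "1.3.0": "2025-10-01T00:00:00.000Z",
  },
  versions: {
    "1.0.0": {
      _npmUser: { name: "alice" },
      maintainers: [{ name: "alice" }, { name: "bob" }],
      dist: { tarball: "https://registry.invalid/example-pkg-1.0.0.tgz" },
    },
    "1.1.0": {
      _npmUser: { name: "alice" },
      maintainers: [{ name: "alice" }, { name: "bob" }],
      dist: {
        tarball: "https://registry.invalid/example-pkg-1.1.0.tgz",
        // What the registry records when a version was published with provenance.
        attestations: {
          url: "https://registry.invalid/-/npm/v1/attestations/example-pkg@1.1.0",
          provenance: { predicateType: "https://slsa.dev/provenance/v1" },
        },
      },
    },
    "1.2.0": {
      // Manual publish by a maintainer who had not published before: the
      // benign case this page records as INFO.
      _npmUser: { name: "bob" },
      maintainers: [{ name: "alice" }, { name: "bob" }],
      dist: { tarball: "https://registry.invalid/example-pkg-1.2.0.tgz" },
    },
    "1.3.0": {
      // Account added to the maintainer list and publishing in the same
      // version: vouched for only by itself, which is the case to block on.
      _npmUser: { name: "mallory" },
      maintainers: [{ name: "alice" }, { name: "bob" }, { name: "mallory" }],
      dist: { tarball: "https://registry.invalid/example-pkg-1.3.0.tgz" },
    },
  },
};

// Presence check only: true when the registry records a SLSA provenance
// attestation for this version. Cryptographic verification against the
// Sigstore log is left to `npm audit signatures`.
function hasProvenance(versionMeta) {
  const prov = versionMeta.dist?.attestations?.provenance;
  return typeof prov?.predicateType === "string" &&
    prov.predicateType.startsWith("https://slsa.dev/provenance/");
}

// Order versions by registry publish time, so "previous" means previously
// published rather than lexically smaller.
function versionsInPublishOrder(packument) {
  return Object.keys(packument.versions).sort(
    (a, b) => Date.parse(packument.time[a]) - Date.parse(packument.time[b]));
}

// One row per version. A publisher change is "known-maintainer" only if the
// account appeared in the maintainer list of an EARLIER version; an account
// that vouches for itself on the version it publishes counts as unknown.
function reviewPackument(packument) {
  const report = [];
  const vouchedAccounts = new Set();
  let previousPublisher = null;
  for (const v of versionsInPublishOrder(packument)) {
    const meta = packument.versions[v];
    const publisher = meta._npmUser?.name ?? null;
    let publisherStatus = "same-as-previous";
    if (previousPublisher === null) {
      publisherStatus = "first-version";
    } else if (publisher !== previousPublisher) {
      publisherStatus = vouchedAccounts.has(publisher)
        ? "changed:known-maintainer"
        : "changed:unknown-account";
    }
    report.push({ version: v, publishedAt: packument.time[v],
      provenance: hasProvenance(meta), publisher, publisherStatus });
    for (const m of meta.maintainers ?? []) vouchedAccounts.add(m.name);
    previousPublisher = publisher;
  }
  return report;
}

// Versions a reviewer should block on rather than accept.
function blockingFindings(report) {
  return report.filter((r) => r.publisherStatus === "changed:unknown-account")
    .map((r) => r.version);
}

// Live use (needs network, Node 18+ for global fetch): the full packument,
// not the abbreviated install metadata, carries _npmUser and attestations.
async function reviewFromRegistry(name, registry = "https://registry.npmjs.org") {
  const res = await fetch(`${registry}/${name.replace("/", "%2F")}`,
    { headers: { accept: "application/json" } });
  if (!res.ok) throw new Error(`registry returned HTTP ${res.status} for ${name}`);
  return reviewPackument(await res.json());
}

for (const row of reviewPackument(samplePackument)) console.log(JSON.stringify(row));
```

Comparing the publisher against maintainer lists from earlier versions, not the current one, is the design point: an attacker who adds a new account and publishes from it in one step appears as a legitimate maintainer in the current metadata but not in the history. For a project that already depends on the package, `npm audit signatures` performs the actual signature and attestation verification that this presence check does not.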